Trunk crashes with SIGBUS in gpu::gles2::ProgramCache::ComputeProgramHash on the device

Bug #1490868 reported by Chris Coulson on 2015-09-01
Affects: Oxide
Importance: Critical
Assigned to: Chris Coulson

Bug Description

(gdb) bt
#0 gpu::gles2::ProgramCache::ComputeProgramHash (this=this@entry=0xabd54640,
    hashed_shader_0=hashed_shader_0@entry=0x9793a5c8 "\t\360\f\362\341\317\362\204\311R\301_\347\351\326\357E۸89\027&\361\300\215\376=;\232\226M\035\062\270b\340\r&",
    hashed_shader_1=hashed_shader_1@entry=0x9793a5dc "9\027&\361\300\215\376=;\232\226M\035\062\270b\340\r&",
    bind_attrib_location_map=bind_attrib_location_map@entry=0x8ff20a74,
    transform_feedback_varyings=std::vector of length 0, capacity 0,
    transform_feedback_buffer_mode=transform_feedback_buffer_mode@entry=0,
    result=result@entry=0x9793a5f0 "`\246\223\227U")
    at ../../../../third_party/chromium/src/gpu/command_buffer/service/program_cache.cc:128
#1 0xad650458 in gpu::gles2::ProgramCache::GetLinkedProgramStatus (
    this=this@entry=0xabd54640,
    shader_signature_a="#define TexCoordPrecision highp\n attribute TexCoordPrecision vec4 a_position; attribute float a_index; uniform mat4 matrix; uniform TexCoordPrecision vec2 quad[4]; void main() { vec2 pos = quad[int(a"...,
    shader_signature_b=" precision mediump float; uniform vec4 color; void main() { gl_FragColor = color; } :CompileOptions:292876:MaxVertexAttribs:16:MaxVertexUniformVectors:256:MaxVaryingVectors:15:MaxVertexTextureImageUn"...,
    bind_attrib_location_map=bind_attrib_location_map@entry=0x8ff20a74,
    transform_feedback_varyings=std::vector of length 0, capacity 0,
    transform_feedback_buffer_mode=0)
    at ../../../../third_party/chromium/src/gpu/command_buffer/service/program_cache.cc:40
#2 0xad65579a in gpu::gles2::Program::Link(gpu::gles2::ShaderManager*, gpu::gles2::Program::VaryingsPackingOption, base::Callback<void (std::string const&, std::string const&)> const&) (this=this@entry=0x8ff20a18,
    manager=<optimized out>,
    varyings_packing_option=gpu::gles2::Program::kCountOnlyStaticallyUsed,
    shader_callback=...)
    at ../../../../third_party/chromium/src/gpu/command_buffer/service/program_manager.cc:593
#3 0xad62c298 in gpu::gles2::GLES2DecoderImpl::DoLinkProgram (
    this=0xafeaf4d8, program_id=3)
    at ../../../../third_party/chromium/src/gpu/command_buffer/service/gles2_cmd_decoder.cc:6349
#4 0xad62c518 in gpu::gles2::GLES2DecoderImpl::HandleLinkProgram (
    this=<optimized out>, immediate_data_size=<optimized out>,
    cmd_data=<optimized out>)
    at ../../../../third_party/chromium/src/gpu/command_buffer/service/gles2_cmd_decoder_autogen.h:2388
#5 0xad638748 in gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false> (
    this=0xafeaf4d8, num_commands=<optimized out>, buffer=<optimized out>,
    num_entries=88, entries_processed=0x9793a87c)
    at ../../../../third_party/chromium/src/gpu/command_buffer/service/gles2_cmd_decoder.cc:4378
#6 0xad6117ea in gpu::CommandParser::ProcessCommands (this=0xabf01060,
    num_commands=num_commands@entry=20)
    at ../../../../third_party/chromium/src/gpu/command_buffer/service/cmd_parser.cc:52
#7 0xad648078 in gpu::GpuScheduler::PutChanged (this=0xafe8f070)
    at ../../../../third_party/chromium/src/gpu/command_buffer/service/gpu_scheduler.cc:75
#8 0xad2ded14 in content::GpuCommandBufferStub::OnAsyncFlush (
    this=this@entry=0xabd4e748, put_offset=442, flush_count=3,
    latency_info=std::vector of length 0, capacity 0)
    at ../../../../third_party/chromium/src/content/common/gpu/gpu_command_buffer_stub.cc:787
#9 0xad2e1662 in DispatchToMethodImpl<content::GpuCommandBufferStub, void (content::GpuCommandBufferStub::*)(int, unsigned int, std::vector<ui::LatencyInfo> const&), int, unsigned int, std::vector<ui::LatencyInfo, std::allocator<ui::LatencyInfo> >, 0u, 1u, 2u> (arg=..., method=
    (void (content::GpuCommandBufferStub::*)(content::GpuCommandBufferStub * const, int, unsigned int, const std::vector<ui::LatencyInfo, std::allocator<ui::LatencyInfo> > &)) 0xad2decb5 <content::GpuCommandBufferStub::OnAsyncFlush(int, unsigned int, std::vector<ui::LatencyInfo, std::allocator<ui::LatencyInfo> > const&)>, obj=0xabd4e748) at ../../../../third_party/chromium/src/base/tuple.h:254
#10 DispatchToMethod<content::GpuCommandBufferStub, void (content::GpuCommandBufferStub::*)(int, unsigned int, std::vector<ui::LatencyInfo> const&), int, unsigned int, std::vector<ui::LatencyInfo, std::allocator<ui::LatencyInfo> > > (
    arg=..., method=
    (void (content::GpuCommandBufferStub::*)(content::GpuCommandBufferStub * const, int, unsigned int, const std::vector<ui::LatencyInfo, std::allocator<ui::LatencyInfo> > &)) 0xad2decb5 <content::GpuCommandBufferStub::OnAsyncFlush(int, unsigned int, std::vector<ui::LatencyInfo, std::allocator<ui::LatencyInfo> > const&)>, obj=0xabd4e748) at ../../../../third_party/chromium/src/base/tuple.h:261
#11 Dispatch<content::GpuCommandBufferStub, content::GpuCommandBufferStub, void, void (content::GpuCommandBufferStub::*)(int, unsigned int, std::vector<ui::LatencyInfo> const&)> (sender=0xabd4e748, parameter=0x0, func=
    (void (content::GpuCommandBufferStub::*)(content::GpuCommandBufferStub * const, int, unsigned int, const std::vector<ui::LatencyInfo, std::allocator<ui::LatencyInfo> > &)) 0xad2decb5 <content::GpuCommandBufferStub::OnAsyncFlush(int, unsigned int, std::vector<ui::LatencyInfo, std::allocator<ui::LatencyInfo> > const&)>, obj=0xabd4e748, msg=0xabd3d490)
    at ../../../../third_party/chromium/src/content/common/gpu/gpu_messages.h:543
#12 content::GpuCommandBufferStub::OnMessageReceived (this=0xabd4e748, message=
    ...)
    at ../../../../third_party/chromium/src/content/common/gpu/gpu_command_buffer_stub.cc:285
#13 0xad2ee62c in content::MessageRouter::RouteMessage (
    this=this@entry=0xabfd231c, msg=...)
    at ../../../../third_party/chromium/src/content/common/message_router.cc:54
#14 0xad2dd5ae in content::GpuChannel::HandleMessage (this=0xabfd22b8)
    at ../../../../third_party/chromium/src/content/common/gpu/gpu_channel.cc:731
#15 0xad00339a in Run (this=0x9793ad18)
    at ../../../../third_party/chromium/src/base/callback.h:396
#16 base::debug::TaskAnnotator::RunTask (this=this@entry=0xabe509b0,
    queue_function=0xaef37744 "MessageLoop::PostTask", pending_task=...)
    at ../../../../third_party/chromium/src/base/debug/task_annotator.cc:51
#17 0xad0187ca in base::MessageLoop::RunTask (this=this@entry=0xabe508f0,
    pending_task=...)
    at ../../../../third_party/chromium/src/base/message_loop/message_loop.cc:481
#18 0xad018a4a in base::MessageLoop::DeferOrRunPendingTask (
    this=this@entry=0xabe508f0, pending_task=...)
    at ../../../../third_party/chromium/src/base/message_loop/message_loop.cc:490
#19 0xad018e38 in base::MessageLoop::DoWork (this=0xabe508f0)
    at ../../../../third_party/chromium/src/base/message_loop/message_loop.cc:602
#20 0xad01a098 in base::MessagePumpDefault::Run (this=0xac0ebbb8,
    delegate=0xabe508f0)
    at ../../../../third_party/chromium/src/base/message_loop/message_pump_default.cc:34
#21 0xad026064 in base::RunLoop::Run (this=this@entry=0x9793ae10)
    at ../../../../third_party/chromium/src/base/run_loop.cc:55
#22 0xad018414 in base::MessageLoop::Run (this=<optimized out>)
    at ../../../../third_party/chromium/src/base/message_loop/message_loop.cc:288
#23 0xad037106 in Run (message_loop=<optimized out>, this=0xabe50128)
    at ../../../../third_party/chromium/src/base/threading/thread.cc:199
#24 base::Thread::ThreadMain (this=0xabe50128)
    at ../../../../third_party/chromium/src/base/threading/thread.cc:251
#25 0xad034db2 in base::(anonymous namespace)::ThreadFunc (
    params=<optimized out>)
    at ../../../../third_party/chromium/src/base/threading/platform_thread_posix.cc:64
#26 0xb5d25490 in start_thread () from /lib/arm-linux-gnueabihf/libpthread.so.0
#27 0xb5dc7c4c in ?? () from /lib/arm-linux-gnueabihf/libc.so.6

(gdb) p $_siginfo
$1 = {si_signo = 7, si_errno = 0, si_code = 1, _sifields = {_pad = {
      -1359799887, 1477047, -1231125951, 0, 0, 0, 0, 0, 256899064, 0, 0,
      1486937, 0, 0, 0, 0, 192224672, -1098449352, 192224672, 21663432,
      -1098449796, 1, 44, 0, -1098449796, 0, 0, -1385888812, 269287240},
    _kill = {si_pid = -1359799887, si_uid = 1477047}, _timer = {
      si_tid = -1359799887, si_overrun = 1477047, si_sigval = {
        sival_int = -1231125951, sival_ptr = 0xb69e8241}}, _rt = {
      si_pid = -1359799887, si_uid = 1477047, si_sigval = {
        sival_int = -1231125951, sival_ptr = 0xb69e8241}}, _sigchld = {
      si_pid = -1359799887, si_uid = 1477047, si_status = -1231125951,
      si_utime = 0, si_stime = 0}, _sigfault = {si_addr = 0xaef319b1},
    _sigpoll = {si_band = -1359799887, si_fd = 1477047}}}

Changed in oxide:
importance: Undecided → Critical
status: New → Triaged
milestone: none → branch-1.10
assignee: nobody → Chris Coulson (chrisccoulson)
Chris Coulson (chrisccoulson) wrote :

So, this is a BUS_ADRALN (invalid address alignment) error.

Chris Coulson (chrisccoulson) wrote :

The code that crashes is this line:

128 memcpy(&buffer[current_pos], ANGLE_COMMIT_HASH, angle_commit_size);

This memcpy implementation looks like this:

=> 0xad6503d4 <+436>: ldmia r3!, {r0, r1, r2}
   0xad6503d6 <+438>: str.w r0, [r11, #40] ; 0x28
   0xad6503da <+442>: str.w r1, [r11, #44] ; 0x2c
   0xad6503de <+446>: str.w r2, [r11, #48] ; 0x30

The first instruction loads 12 bytes (ANGLE_COMMIT_HASH) from the address pointed to by r3 into r0, r1 and r2. The following 3 instructions store these 12 bytes into |buffer|. It crashes on the first instruction.

r3 points to an address in the .rodata section, as expected. It's clearly misaligned:

(gdb) info registers
r0 0x4d969a3b 1301715515
r1 0x260de0 2493920
r2 0xefd6e9e7 4023839207
r3 0xaef319b1 2935167409
r4 0x27 39
r5 0x3dfe8dc0 1040092608
r6 0x8ff20a74 2415004276
r7 0x9793a5dc 2543035868
r8 0x9793a5c8 2543035848
r9 0x8ff20aa4 2415004324
r10 0x5f 95
r11 0xafebfc68 2951478376
r12 0xb5f72774 3052873588
sp 0x9793a588 0x9793a588
lr 0xafe00018 -1344274408
pc 0xad6503d4 0xad6503d4 <gpu::gles2::ProgramCache::ComputeProgramHash(char const*, char const*, std::map<std::string, int, std::less<std::string>, std::allocator<std::pair<std::string const, int> > > const*, std::vector<std::string, std::allocator<std::string> > const&, unsigned int, char*) const+436>
cpsr 0x60070030 1611071536

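The following is an added example, not code from this bug report, from Oxide or from Chromium/ANGLE. It does two things a triager wants when reading a dump like the one above: decode the SIGBUS siginfo fields (si_signo 7, si_code 1, si_addr 0xaef319b1) into the number of bytes by which the faulting address misses word alignment, and show a copy routine that only takes a word-wise (ldmia-style) path after checking both pointers, falling back to a byte copy otherwise. The struct layout, the sample hash string and the names kSample, kAligned, copy_checked and run_demo are constructed for the example; ANGLE_COMMIT_HASH itself is a string literal in ANGLE, and the struct is just a portable way to obtain a misaligned source address on any host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard Linux values, spelled out instead of taken from <signal.h>
 * so the block compiles without feature-test macros. */
#define SIGNO_SIGBUS    7
#define CODE_BUS_ADRALN 1   /* invalid address alignment */

/* Word size on the faulting target (32-bit ARM in the report). */
#define ARM_WORD 4u

/* Classify a SIGBUS from its siginfo fields. For a BUS_ADRALN fault,
 * return how many bytes si_addr is past the last word boundary
 * (1..word-1); return -1 if the signal is not an alignment fault.
 * The values from the gdb dump above (7, 1, 0xaef319b1) give 1. */
int sigbus_misalignment(int si_signo, int si_code, uintptr_t si_addr,
                        unsigned word)
{
    if (si_signo != SIGNO_SIGBUS || si_code != CODE_BUS_ADRALN)
        return -1;
    return (int)(si_addr & (word - 1));
}

/* Constructed stand-in for a 12-byte constant in .rodata: the uint32_t
 * header gives the struct 4-byte alignment, and the single pad byte then
 * puts commit_hash at offset 5, which is never a multiple of 4. */
struct misaligned_rodata {
    uint32_t header;
    char pad;
    char commit_hash[13];  /* 12 hash characters plus NUL */
};
static const struct misaligned_rodata kSample = { 0, 0, "0123456789ab" };

/* Word-aligned counterpart, for which a word-wise copy is legitimate. */
static const union { uint32_t align; char text[13]; } kAligned =
    { .text = "0123456789ab" };

/* Copy n bytes from src to dst. With use_word_path set, use 4-byte loads
 * and stores (the shape the compiler chose for the memcpy in the report),
 * but only after verifying both pointers are word-aligned: an unaligned
 * ldmia on ARM raises SIGBUS/BUS_ADRALN, so a misaligned request is
 * refused with -1 instead. Without the word path, copy byte by byte,
 * which has no alignment requirement. Returns 0 on success. */
int copy_checked(char *dst, const char *src, size_t n, int use_word_path)
{
    size_t i = 0;
    if (use_word_path) {
        if (((uintptr_t)src % ARM_WORD) != 0 || ((uintptr_t)dst % ARM_WORD) != 0)
            return -1;
        /* Word access is valid here only because alignment was checked. */
        for (; i + ARM_WORD <= n; i += ARM_WORD)
            *(uint32_t *)(dst + i) = *(const uint32_t *)(src + i);
    }
    for (; i < n; i++)
        dst[i] = src[i];
    return 0;
}

/* Destination buffer shared by the demo runs; 4-byte aligned so that only
 * the source's alignment decides the outcome. */
static union { uint32_t align; char text[13]; } g_out;

/* Copy the misaligned sample with the chosen path; returns copy_checked's result. */
int run_demo(int use_word_path)
{
    memset(g_out.text, 0, sizeof g_out.text);
    return copy_checked(g_out.text, kSample.commit_hash, 12, use_word_path);
}

/* Copy the aligned sample with the word path; returns copy_checked's result. */
int run_aligned_demo(void)
{
    memset(g_out.text, 0, sizeof g_out.text);
    return copy_checked(g_out.text, kAligned.text, 12, 1);
}

const char *demo_output(void) { return g_out.text; }

int main(void)
{
    /* si_signo, si_code and si_addr are the values in the report above. */
    printf("misalignment of 0xaef319b1: %d byte(s)\n",
           sigbus_misalignment(7, 1, (uintptr_t)0xaef319b1u, ARM_WORD));
    printf("word path on misaligned source: %d\n", run_demo(1));
    printf("byte path on misaligned source: %d -> \"%s\"\n",
           run_demo(0), demo_output());
    printf("word path on aligned source: %d -> \"%s\"\n",
           run_aligned_demo(), demo_output());
    return 0;
}
```

On the ARM device in the report the refused case is exactly the one that faulted: r3 = 0xaef319b1 has its low two bits set to 01, so the ldmia could not execute. On x86 hosts unaligned word loads succeed silently, which is why the check is made explicit here rather than left to the hardware.
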
Changed in oxide:
status: Triaged → Fix Released